Rapid7 has released the second edition of their now-annual “Under the Hoodie” report, a compilation of information and statistics gathered across Rapid7’s penetration testing teams. There’s probably nothing terribly surprising in here, but it’s always nice to have some raw numbers or anecdotes in pocket for various conversations. Here are a few interesting tidbits or quotes I wanted to pull out.
“Relying entirely on an automated solution or a short list of canned exploits is likely to meet with failure, while a more thorough, hands-on approach nets significant wins for the attacker.” This statement matters for internal security testing, third-party testing, and also for defenses. The first two can be obvious, but the last one about defense helps frame models, for instance the impact of an internal threat or of an attacker specifically targeting a company rather than just automating a search for opportunistic moments. Reading between the lines, it also says that an attacker who puts in some hands-on effort and is not time-boxed like a pen tester can see success.
“Furthermore, these results imply that if the penetration tester is not detected within a day, it’s unlikely the malicious activity will be detected at all.” Detection is a big deal. I’d also throw in the practice of threat hunting to find successful attackers who have gotten past the outer layer of defense and alarms. I recently deleted a draft about the whys and hows of the rise of threat hunting/intelligence (I posited it was a combination of the reduction in AV/IPS signature success, the complexity of environments, the rise of offense-friendly staff looking for offensive things to do, and other factors…). Prevention is important, but solid and effective detection matters.
“The number one issue that causes the most consternation among penetration testers is solid network segmentation. If they cannot traverse logical boundaries between environments, it can be extremely difficult to leverage a set of ill-gotten workstation credentials to escalate to domain-wide administrative privileges; even if a powerful service account has been compromised, if there’s no route between targets, the pentester must effectively start over again with another foothold in the network.”
Other factors that cause frustration for pen testers are multi-factor authentication for accounts, least privilege practices on accounts, strong patching and vulnerability management practices, and awareness to spot and report phishing campaigns, social engineering, and other low-tech attacks. What’s fun is how these 5 items are disciplines that blend security with other, very different departments: the network team for segmentation, systems/developers for 2FA/MFA, systems for patching, IAM for least access, and everyone for awareness. You can’t just boost one area of the company (or just security itself).